Home arrow Software arrow Interpreting HiJackThis Logs in Window...
Watch our Tech Videos 
Dev Hardware Forums 
Computer Cases  
Computer Processors  
Computer Systems  
Digital Cameras  
Flat Panels  
Hardware Guides  
Hardware News  
Input Devices  
Mobile Devices  
Networking Hardware  
PC Cooling  
PC Speakers  
Power Supply Units  
Sound Cards  
Storage Devices  
Tech Interviews  
User Experiences  
Video Cards  
Weekly Newsletter
Developer Updates  
Free Website Content 
 RSS  Articles
 RSS  Forums
 RSS  All Feeds
Write For Us 
Contact Us 
Site Map 
Privacy Policy 
  >>> SIGN UP!  
  Lost Password? 

Interpreting HiJackThis Logs in Windows XP
By: Codex-M
  • Search For More Articles!
  • Disclaimer
  • Author Terms
  • Rating: 5 stars5 stars5 stars5 stars5 stars / 2

    Table of Contents:
  • Interpreting HiJackThis Logs in Windows XP
  • Process Analysis, an Example
  • HJT Group Analysis
  • Malware Removal Steps

  • Rate this Article: Poor Best 
      Del.ici.ous Digg
      Blink Simpy
      Google Spurl
      Y! MyWeb Furl
    Email Me Similar Content When Posted
    Add Developer Shed Article Feed To Your Site
    Email Article To Friend
    Print Version Of Article
    PDF Version Of Article


    Interpreting HiJackThis Logs in Windows XP

    (Page 1 of 4 )

    We discussed the basic principles for the use of HiJackThis in yesterday's article. In this article we will go deeper by directly interpreting the HiJackThis Logs. If you do not have any idea of what those logs mean, this article will get you started. Of course, this will not fix all issues pertaining to malware, but it will give you a good head start on your education.

    Assuming you have installed HiJackThis in your computer, turn on System Restore. Now, with an anti-virus installed, we are ready to interpret and fix malware issues using HiJackThis.

    However, note that correcting problems using HiJackThis is considered risky. So take the precautions described in yesterday's article, "Introduction to HiJackThis for Windows XP."

    HJT Process Analysis

    Analyzing HJT (Hijackthis) logs can be broken down into two sub-steps. The first is what I call "process analysis" and the second is called "HJT group code analysis."

    A critical security breach, such as those involving Trojan exploits, can be mostly detected in the process analysis step. These tend to disguise themselves as reputable Windows XP processes (with the .exe extension).

    In the HJT group code analysis, we get into analyzing browser help objects (BHO), registry entries and running Windows services. Most spyware/malware and browser hijackers can be detected in this group.

    Okay, let's start with process analysis. Say that we have this simple log:

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 5:37:44 PM, on 9/8/2009

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v8.00 (8.00.6001.18702)

    Boot mode: Normal

    Running processes:




    A Trojan/malware process does not reside in the correct or intended path, and can be detected by scanners. It is a red flag if the process path is not using its standard path as defined by the community and its vendors. Trojans will not overwrite this legitimate file, because if they do, it will cause a system malfunction. To analyze those .EXE/processes, refer to the flow chart below:

    By first using this tool, we will get the default/standard process path of the file under analysis. Then we compare it to the installed path as reported by HJT, to see if it's the same. If it is, then the process or file is clean.

    If it is not, we will scan it manually (one file at a time) using or and see the results of those top scanners. Alternatively, one of the best free malware detection tools for confirmation is Malwarebytes Anti-Malware, which you can download for free. Install it in your computer, and then right click on the file and choose "Scan with Malwarebytes Anti-Malware." If it is indeed a Trojan/malware, we will remove it using HJT or the anti-malware software.

    If the file is not infected as reported by the scanning system provided above, it is clean and the file is installed in a path that is different from the default. This happens in other configurations when the process exists in different paths. Relying solely on file or process paths can result in false positives.

    More Software Articles
    More By Codex-M

    blog comments powered by Disqus


    - Top Add-ons for Gmail
    - Top Free Photo Editors
    - Administering Google Apps for Your Domain
    - Setting up Google Apps for Your Domain
    - EmailTray Helps Organize Email
    - Portable KeePass Tutorial for Ubuntu Linux a...
    - Windows 7: Applications to Enhance Your OS
    - Windows 7: Great Additions
    - Google Wave Waves Goodbye
    - Netvibes Releases Dashboard Engine
    - Monitoring your Children`s Online Activity w...
    - Evernote: a Lightweight Organizational App
    - A New Way to View Photos Online in 3D
    - Smartphone App iZup Helps Make the Roads Saf...
    - Adobe Elements 8 and Premiere 8 Editing Soft...

    Developer Shed Affiliates


    © 2003-2019 by Developer Shed. All rights reserved. DS Cluster - Follow our Sitemap
    KEITHLEE2zdeconfigurator/configs/INFUSIONSOFT_OVERLAY.phpzdeconfigurator/configs/ OFFLOADING INFUSIONSOFTLOADING INFUSIONSOFT 1debug:overlay status: OFF
    overlay not displayed overlay cookie defined: TI_CAMPAIGN_1012_D OVERLAY COOKIE set:
    status off